We kicked off 2021 with the Florida water plant breach[1] and the Molson Coors[2] operational attack, proving once again that all industries are at risk of operational disruption when it comes to operational security. Anyone who believes they have their internet of things (IoT) and operational technology (OT) security risk under control is a threat actor’s dream come true. IoT and OT environments pose a much higher risk than IT when it comes to protecting the environment and public safety. It shouldn’t take another attack on a water treatment plant or a food and beverage company before security and risk leaders adopt a continuous improvement mindset to cybersecurity risk in their digital transformation efforts. Over the next few weeks, we will take a journey on managing IoT and OT security risk.
Most security and risk leaders have awareness. But the journey can feel overwhelming at times.
We will start with the beginning of the technology journey: asset discovery. You can’t protect what you can’t see, making asset discovery a fundamental imperative.
Asset discovery and management is the foundation of good IoT and OT security. Asset management functionality is crucial to forming a trusted IoT network for organizations, but currently, it’s commonly overlooked.
Asset discovery capabilities enable organizations to detect IoT devices in networks when these devices are part of proprietary or non-IT-standard engineering networks, or if they are not continuously connected. Building an effective IoT asset database complete with attributes and entitlements for access by those devices is a major requirement of identity and access management.
We sat down with Mark Carrigan, the chief operating officer of PAS Global LLC (PAS is part of Hexagon AB), who shared that asset discovery means “discovering level zero to two devices.” He went on to explain that this means knowing the “hardware, software and firmware, manufacturing model and versions and serial numbers” to achieve true asset discovery. All these elements are vital to developing solid asset discovery. For example, “just knowing it’s a Rockwell PLC isn’t enough,” Mark concludes.
There is also a lack of security controls for new OT and IoT, brought about in part by OEMs’ lack of standards, customizations, and protocols. Thanks to an increasing number of security vendors offering asset discovery and network topology mapping platforms, the next step often involves a proof of concept (POC) effort with one or more solutions. However, this requires a tight partnership with functional asset owners, IT, and the vendor.
- Engage with vendors that offer technical support and help with professional services during POC trials to mitigate risk and ensure a smooth alternative analysis.
- Account for asset discovery management by conducting a physical inventory and reconciling it to assets identified in your POC.
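
One way to carry out the reconciliation in the second recommendation, as an added example (not code from the original post or from any vendor): it keys both inventories on a normalized serial number and checks each discovered record for the attributes Carrigan lists. The field names, the sample records and the `reconcile` helper are assumptions constructed for illustration.

```python
# Attributes the post names as needed for "true asset discovery" (field names assumed).
REQUIRED = ("vendor", "model", "firmware", "serial")

def norm(serial):
    """Normalize a serial so nameplate and on-the-wire formats compare equal."""
    return "".join(ch for ch in str(serial).upper() if ch.isalnum())

def reconcile(physical, discovered):
    """Compare a physical walk-down inventory with POC tool output, keyed by serial."""
    phys = {norm(a["serial"]): a for a in physical if a.get("serial")}
    disc = {norm(a["serial"]): a for a in discovered if a.get("serial")}
    report = {
        # Present on the floor but never seen by the tool (offline, nested, serial-only).
        "missing_from_poc": sorted(phys.keys() - disc.keys()),
        # Seen by the tool but absent from the walk-down (unrecorded or unauthorized).
        "missing_from_physical": sorted(disc.keys() - phys.keys()),
        # Discovered records with no serial: the "it's a PLC" level of detail.
        "unkeyed": [a for a in discovered if not a.get("serial")],
        "incomplete": {},  # serial -> required attributes the tool did not capture
        "mismatch": {},    # serial -> {attribute: (physical value, discovered value)}
    }
    for key in sorted(phys.keys() & disc.keys()):
        p, d = phys[key], disc[key]
        gaps = [f for f in REQUIRED if not d.get(f)]
        if gaps:
            report["incomplete"][key] = gaps
        diffs = {f: (p[f], d[f]) for f in REQUIRED[:3]
                 if p.get(f) and d.get(f) and str(p[f]).lower() != str(d[f]).lower()}
        if diffs:
            report["mismatch"][key] = diffs
    return report

# Constructed sample data; vendors, models and serials are placeholders.
PHYSICAL = [
    {"serial": "SN-0001", "vendor": "VendorA", "model": "PLC-100", "firmware": "2.1"},
    {"serial": "SN-0002", "vendor": "VendorA", "model": "PLC-100", "firmware": "2.1"},
    {"serial": "SN-0003", "vendor": "VendorB", "model": "RTU-7", "firmware": "1.0"},
]
DISCOVERED = [
    {"serial": "sn0001", "vendor": "VendorA", "model": "PLC-100", "firmware": "2.3"},
    {"serial": "SN-0002", "vendor": "VendorA", "model": "", "firmware": ""},
    {"serial": "SN-0009", "vendor": "VendorC", "model": "HMI-2", "firmware": "4.0"},
    {"serial": "", "vendor": "VendorA", "model": "", "firmware": ""},
]

if __name__ == "__main__":
    for section, items in reconcile(PHYSICAL, DISCOVERED).items():
        print(section, items)
```

Each non-empty section of the report is a follow-up item for the asset owner, IT and the vendor during the POC.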
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
Nice blog to kick off the series! There are also a number of complicating factors in achieving a good asset inventory, including (1) the use of passive collection only provides as much detail as is available on the wire (so firmware, model, serial number CIs may not be present), (2) there are many “nested devices” that don’t sit on the TCP/IP network, and (3) in remote sites it may not be cost effective to use some collection methods. That’s why it’s important to leverage a variety of collection methods (passive, active, project file) to get both breadth and depth of visibility. Without depth of visibility, security teams may have a “feel good” moment without the right asset information to drive action. Looking forward to the next part in the series.